  1. <?php
  2. /**
  3. * Family Connections - www.familycms.com
  4. *
  5. * PHP versions 4 and 5
  6. *
  7. * Copyright (C) 2007 Ryan Haudenschilt
  8. *
  9. * This program is free software; you can redistribute it and/or modify
  10. * it under the terms of the GNU General Public License as published by
  11. * the Free Software Foundation; either version 2 of the License, or
  12. * (at your option) any later version.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU General Public License
  20. * along with this program; if not, write to the Free Software
  21. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  22. *
  23. * @category FCMS
  24. * @package FamilyConnections
  25. * @author Ryan Haudenschilt <r.haudenschilt@gmail.com>
  26. * @copyright 2007 Haudenschilt LLC
  27. * @license http://www.gnu.org/licenses/gpl-2.0.html GPLv2
  28. * @link http://www.familycms.com/wiki/
  29. */
  30. session_start();
  31. // Site has NOT been installed yet
  32. if (!file_exists('inc/config_inc.php'))
  33. {
  34. displayNoConfig();
  35. return;
  36. }
  37. require 'fcms.php';
  38. load('facebook', 'socialmedia');
  39. setLanguage();
  40. control();
  41. return;
  42. /**
  43. * control
  44. *
  45. * @return void
  46. */
  47. function control ()
  48. {
  49. if (isset($_GET['lang']))
  50. {
  51. displayChangeLanguage();
  52. }
  53. elseif (isset($_GET['err']))
  54. {
  55. displayLoginError();
  56. }
  57. elseif (isset($_SESSION['login_id']) || isset($_COOKIE['fcms_login_id']))
  58. {
  59. displayAlreadyLoggedIn();
  60. }
  61. elseif (isset($_POST['submit']))
  62. {
  63. displayLoginSubmit();
  64. }
  65. else
  66. {
  67. displayLoginForm();
  68. }
  69. }
  70. /**
  71. * displayNoConfig
  72. *
  73. * @return void
  74. */
  75. function displayNoConfig ()
  76. {
  77. include_once 'inc/thirdparty/gettext.inc';
  78. // Setup php-gettext
  79. T_setlocale(LC_MESSAGES, 'en_US');
  80. T_bindtextdomain('messages', './language');
  81. T_bind_textdomain_codeset('messages', 'UTF-8');
  82. T_textdomain('messages');
  83. displayHeader(false);
  84. echo '
  85. <div id="oops">
  86. <h1>'.T_('Oops!').'</h1>
  87. <p>
  88. '.T_('This site hasn\'t been installed yet.').'
  89. <a href="install.php">'.T_('You must finish the installation before using the site.').'</a>
  90. </p>
  91. </div>
  92. </body>
  93. </html>';
  94. }
  95. /**
  96. * displayChangeLanguage
  97. *
  98. * Changes the language and redirects the page to the login form.
  99. *
  100. * @return void
  101. */
  102. function displayChangeLanguage ()
  103. {
  104. $_SESSION['language'] = $_GET['lang'];
  105. T_setlocale(LC_MESSAGES, $_SESSION['language']);
  106. header("Location: index.php");
  107. }
  108. /**
  109. * displayLoginError
  110. *
  111. * @return void
  112. */
  113. function displayLoginError ()
  114. {
  115. // Tried to access a page before logging in
  116. if ($_GET['err'] == 'login')
  117. {
  118. displayHeader();
  119. echo '
  120. <div class="err-msg">
  121. <h2>'.T_('Access Denied').'</h2>
  122. <p>'.T_('You must be logged in to view that page.').'</p>
  123. </div>';
  124. displayLogin();
  125. }
  126. // Site is turned off
  127. elseif ($_GET['err'] == 'off')
  128. {
  129. displayHeader();
  130. echo '
  131. <div class="err-msg">
  132. <h2>'.T_('Hold On a Second!').'</h2>
  133. <p>'.T_('The site has been closed by an administrator.').'</p>
  134. <p>'.T_('Please come back later.').'</p>
  135. </div>';
  136. displayLogin();
  137. }
  138. }
  139. /**
  140. * displayLoginSubmit
  141. *
  142. * @return void
  143. */
  144. function displayLoginSubmit ()
  145. {
  146. $user = escape_string($_POST['user']);
  147. $pass = escape_string($_POST['pass']);
  148. $redirect = 'home.php';
  149. $rem = 0;
  150. if (isset($_POST['rem']))
  151. {
  152. $rem = 1;
  153. }
  154. $pass = md5($pass);
  155. $sql = "SELECT `id`, `username`, `password`, `activated`, `locked`
  156. FROM `fcms_users`
  157. WHERE `username` = '$user'
  158. AND `password` = '$pass'";
  159. $result = mysql_query($sql);
  160. if (!$result)
  161. {
  162. displaySqlError($sql, mysql_error());
  163. return;
  164. }
  165. $login_check = mysql_num_rows($result);
  166. $row = mysql_fetch_array($result);
  167. // Wrong username and/or password
  168. if ($login_check <= 0)
  169. {
  170. handleBadLogin($user);
  171. return;
  172. }
  173. // User is active
  174. if ($row['activated'] > 0)
  175. {
  176. // Setup Cookie/Session
  177. if ($rem >= 1)
  178. {
  179. setcookie('fcms_login_id', $row['id'], time() + (30*(24*3600)), '/'); // 30 days
  180. setcookie('fcms_login_uname', $row['username'], time() + (30*(24*3600)), '/'); // 30 days
  181. setcookie('fcms_login_pw', $row['password'], time() + (30*(24*3600)), '/'); // 30 days
  182. }
  183. $_SESSION['login_id'] = $row['id'];
  184. $_SESSION['login_uname'] = $row['username'];
  185. $_SESSION['login_pw'] = $row['password'];
  186. // Update activity
  187. $sql = "UPDATE `fcms_users`
  188. SET `activity` = NOW()
  189. WHERE `id` = ".$row['id'];
  190. if (!mysql_query($sql))
  191. {
  192. displaySqlError($sql, mysql_error());
  193. // We can continue on this error
  194. }
  195. // Reset invalid login attempts
  196. $sql = "UPDATE `fcms_users`
  197. SET `login_attempts` = '0'
  198. WHERE `id` = ".$row['id'];
  199. if (!mysql_query($sql))
  200. {
  201. displaySqlError($sql, mysql_error());
  202. // We can continue on this error
  203. }
  204. // Redirect to desired page
  205. header("Location: $redirect");
  206. }
  207. // User has been locked out for failed attempts
  208. elseif ($row['activated'] < 0)
  209. {
  210. // User's lockout has ended
  211. if (gmdate('YmdHis') > gmdate('YmdHis', strtotime($row['locked'])))
  212. {
  213. // Set user as active
  214. $sql = "UPDATE `fcms_users`
  215. SET `activated` = '1'
  216. WHERE `id` = ".$row['id'];
  217. if (!mysql_query($sql))
  218. {
  219. displaySqlError($sql, mysql_error());
  220. die();
  221. }
  222. // Setup Cookie/Session
  223. if ($rem >= 1)
  224. {
  225. setcookie('fcms_login_id', $row['id'], time() + (30*(24*3600)), '/'); // 30 days
  226. setcookie('fcms_login_uname', $row['username'], time() + (30*(24*3600)), '/'); // 30 days
  227. setcookie('fcms_login_pw', $row['password'], time() + (30*(24*3600)), '/'); // 30 days
  228. }
  229. $_SESSION['login_id'] = $row['id'];
  230. $_SESSION['login_uname'] = $row['username'];
  231. $_SESSION['login_pw'] = $row['password'];
  232. // Update activity
  233. $sql = "UPDATE `fcms_users`
  234. SET `activity` = NOW()
  235. WHERE `id` = ".$row['id'];
  236. if (!mysql_query($sql))
  237. {
  238. displaySqlError($sql, mysql_error());
  239. // We can continue on this error
  240. }
  241. // Reset invalid login attempts
  242. $sql = "UPDATE `fcms_users`
  243. SET `login_attempts` = '0'
  244. WHERE `id` = ".$row['id'];
  245. if (!mysql_query($sql))
  246. {
  247. displaySqlError($sql, mysql_error());
  248. // We can continue on this error
  249. }
  250. // Redirect to desired page
  251. header("Location: $redirect");
  252. }
  253. // User is still locked out
  254. else
  255. {
  256. displayLockedOut();
  257. }
  258. }
  259. // User is not active
  260. else
  261. {
  262. displayNotActive();
  263. }
  264. }
  265. /**
  266. * displayAlreadyLoggedIn
  267. *
  268. * @return void
  269. */
  270. function displayAlreadyLoggedIn ()
  271. {
  272. if (isset($_COOKIE['fcms_login_id']))
  273. {
  274. $_SESSION['login_id'] = (int)$_COOKIE['fcms_login_id'];
  275. $_SESSION['login_uname'] = escape_string($_COOKIE['fcms_login_uname']);
  276. $_SESSION['login_pw'] = escape_string($_COOKIE['fcms_login_pw']);
  277. }
  278. // Update activity
  279. $sql = "UPDATE `fcms_users`
  280. SET `activity` = NOW()
  281. WHERE `id` = '".(int)$_SESSION['login_id']."'";
  282. if (!mysql_query($sql))
  283. {
  284. displaySqlError($sql, mysql_error());
  285. // We can continue on this error
  286. }
  287. // Reset invalid login attempts
  288. $sql = "UPDATE `fcms_users`
  289. SET `login_attempts` = '0'
  290. WHERE `id` = '".(int)$_SESSION['login_id']."'";
  291. if (!mysql_query($sql))
  292. {
  293. displaySqlError($sql, mysql_error());
  294. // We can continue on this error
  295. }
  296. // Redirect to desired page
  297. header("Location: home.php");
  298. }
  299. /**
  300. * displayHeader
  301. *
  302. * @param boolean $login Are we displaying the login screen?
  303. *
  304. * @return void
  305. */
  306. function displayHeader($login = true)
  307. {
  308. if ($login)
  309. {
  310. $sitename = getSiteName().' - '.T_('powered by').' '.getCurrentVersion();
  311. $js = ' onload="document.getElementById(\'user\').focus()"';
  312. }
  313. else
  314. {
  315. // Don't translate
  316. $sitename = 'Family Connections';
  317. $js = '';
  318. }
  319. echo '
  320. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  321. <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="'.T_('lang').'" lang="'.T_('lang').'">
  322. <head>
  323. <title>'.$sitename.'</title>
  324. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
  325. <meta name="author" content="Ryan Haudenschilt"/>
  326. <link rel="shortcut icon" href="ui/favicon.ico"/>
  327. <link rel="stylesheet" type="text/css" href="ui/fcms-core.css"/>
  328. </head>
  329. <body'.$js.'>';
  330. }
  331. /**
  332. * displayLoginForm
  333. *
  334. * @return void
  335. */
  336. function displayLoginForm ()
  337. {
  338. handleFacebookLogin();
  339. displayHeader();
  340. displayLogin();
  341. }
  342. /**
  343. * displayLogin
  344. *
  345. * @return void
  346. */
  347. function displayLogin()
  348. {
  349. $sitename = getSiteName();
  350. if (isset($_GET['url']))
  351. {
  352. $hidden = '<input type="hidden" name="url" id="url" value="'.cleanOutput($_GET['url']).'"/>';
  353. }
  354. else
  355. {
  356. $hidden = '';
  357. }
  358. // Get available languages
  359. $lang_dir = "language/";
  360. $lang_options = '';
  361. if (is_dir($lang_dir))
  362. {
  363. if ($dh = opendir($lang_dir))
  364. {
  365. while (($file = readdir($dh)) !== false)
  366. {
  367. // Skip directories that start with a period
  368. if ($file[0] === '.')
  369. {
  370. continue;
  371. }
  372. // Skip files (messages.pot)
  373. if (!is_dir("$lang_dir$file"))
  374. {
  375. continue;
  376. }
  377. // Skip directories that don't include a messages.mo file
  378. if (!file_exists($lang_dir.$file.'/LC_MESSAGES/messages.mo'))
  379. {
  380. continue;
  381. }
  382. $arr[$file] = getLangName($file);
  383. }
  384. closedir($dh);
  385. asort($arr);
  386. foreach ($arr as $key => $val)
  387. {
  388. $lang_options .= '<option value="'.$key.'"';
  389. if (isset($_SESSION['language']))
  390. {
  391. if ($_SESSION['language'] == $key)
  392. {
  393. $lang_options .= ' selected="selected"';
  394. }
  395. }
  396. $lang_options .= '>'.$val.'</option>';
  397. }
  398. }
  399. }
  400. $forgotPassLink = '<a href="lostpw.php">'.T_('Forgot Password?').'</a>';
  401. $registerLink = '';
  402. $facebookLogin = '';
  403. if (isRegistrationOn())
  404. {
  405. $registerLink = ' | <a href="register.php">'.T_('Register').'</a>';
  406. }
  407. $fbData = getFacebookConfigData();
  408. $params = array('scope' => 'user_about_me,user_birthday,user_location,email,publish_stream,offline_access');
  409. // Print the facebook register button
  410. if (!empty($fbData['fb_app_id']) && !empty($fbData['fb_secret']))
  411. {
  412. $facebook = new Facebook(array(
  413. 'appId' => $fbData['fb_app_id'],
  414. 'secret' => $fbData['fb_secret'],
  415. ));
  416. $facebookLogin = '<a href="'.$facebook->getLoginUrl($params).'" title="'.T_('Login using Facebook').'"><img src="ui/images/facebook_tiny.png"/></a>';
  417. }
  418. echo '
  419. <div id="login_box">
  420. <h1 id="login_header">'.T_('Login to').' '.$sitename.'</h1>
  421. <form action="index.php" method="post">
  422. <div style="float:right">
  423. <select style="background-color:#e9f3fb; border:none;"
  424. onchange="window.location.href=\'?lang=\'+this.options[this.selectedIndex].value;">
  425. <option>'.T_('Language').':</option>
  426. '.$lang_options.'
  427. </select>
  428. </div>
  429. <p><label for="user">'.T_('Username').':</label><input type="text" name="user" id="user"/></p>
  430. <p><label for="pass">'.T_('Password').':</label><input type="password" name="pass" id="pass"/></p>
  431. <p>
  432. <label class="rem" for="rem">'.T_('Remember Me').'</label>
  433. <input class="rem" name="rem" id="rem" type="checkbox" value="1"/>
  434. '.$hidden.'
  435. <input type="submit" name="submit" id="submit" value="'.T_('Login').'"/>
  436. </p>
  437. <div class="clear"></div>
  438. </form>
  439. <p style="text-align:center; margin-bottom:20px;">'.$forgotPassLink.$registerLink.'</p>
  440. <div style="color:silver; font-size:11px; float:left;">'.getCurrentVersion().'</div>
  441. <div style="float:right">
  442. '.$facebookLogin.'
  443. </div>
  444. </div>
  445. </body>
  446. </html>';
  447. }
  448. /**
  449. * handleBadLogin
  450. *
  451. * @param string $user The username login being attempted on
  452. *
  453. * @return void
  454. */
  455. function handleBadLogin ($user)
  456. {
  457. $sql = "SELECT `id`, `login_attempts`
  458. FROM `fcms_users`
  459. WHERE `username` = '$user'";
  460. $result = mysql_query($sql);
  461. if (!$result)
  462. {
  463. displaySqlError($sql, mysql_error());
  464. return;
  465. }
  466. $valid_username = mysql_num_rows($result);
  467. // valid username, wrong password
  468. if ($valid_username > 0)
  469. {
  470. $r = mysql_fetch_array($result);
  471. // user exceeded max login attempts
  472. if ($r['login_attempts'] > 4)
  473. {
  474. // Lock users account
  475. $sql = "UPDATE `fcms_users`
  476. SET `activated` = '-1', `locked` = DATE_ADD(NOW(), INTERVAL 1 HOUR)
  477. WHERE `id` = ".$r['id'];
  478. if (!mysql_query($sql))
  479. {
  480. displaySqlError($sql, mysql_error());
  481. return;
  482. }
  483. displayLockedOut();
  484. return;
  485. }
  486. // Increase login attempts
  487. $sql = "UPDATE `fcms_users`
  488. SET `login_attempts` = `login_attempts`+1
  489. WHERE `id` = ".$r['id'];
  490. if (!mysql_query($sql))
  491. {
  492. displaySqlError($sql, mysql_error());
  493. return;
  494. }
  495. }
  496. displayHeader();
  497. echo '
  498. <div class="err-msg">
  499. <h2>'.T_('Oops!').'</h2/>
  500. <p>'.T_('That login information wasn\'t quite right.').'</p>
  501. <p>'.T_('Be sure and check that you typed your username/password correctly.').'</p>
  502. </div>';
  503. displayLogin();
  504. }
  505. /**
  506. * handleFacebookLogin
  507. *
  508. * @return void
  509. */
  510. function handleFacebookLogin ()
  511. {
  512. $fbData = getFacebookConfigData();
  513. if (empty($fbData['fb_app_id']) || empty($fbData['fb_secret']))
  514. {
  515. return;
  516. }
  517. $facebook = new Facebook(array(
  518. 'appId' => $fbData['fb_app_id'],
  519. 'secret' => $fbData['fb_secret'],
  520. ));
  521. // Check if the user is logged in and authed
  522. $fbUser = $facebook->getUser();
  523. $fbProfile = '';
  524. if ($fbUser)
  525. {
  526. try
  527. {
  528. $fbProfile = $facebook->api('/me');
  529. }
  530. catch (FacebookApiException $e)
  531. {
  532. $fbUser = null;
  533. }
  534. }
  535. // User isn't logged in, or authed
  536. if (!$fbUser)
  537. {
  538. return;
  539. }
  540. $accessToken = $facebook->getAccessToken();
  541. $sql = "SELECT u.`id`, u.`username`, u.`password`, u.`activated`, u.`locked`
  542. FROM `fcms_users` AS u, `fcms_user_settings` AS s
  543. WHERE s.`user` = u.`id`
  544. AND (
  545. u.`username` = '".$fbProfile['email']."'
  546. OR s.`fb_access_token` = '$accessToken'
  547. )";
  548. $result = mysql_query($sql);
  549. if (!$result)
  550. {
  551. displaySqlError($sql, mysql_error());
  552. return;
  553. }
  554. if (mysql_num_rows($result) <= 0)
  555. {
  556. echo '
  557. <div class="err-msg">
  558. <h2>'.T_('Oops!').'</h2>
  559. <p>'.T_('Your account hasn\'t been connected to Facebook yet. You need to connect your existing account with Facebook or register a new account using Facebook.').'</p>
  560. </div>';
  561. return;
  562. }
  563. $row = mysql_fetch_array($result);
  564. // Check account is active
  565. if ($row['activated'] == 0)
  566. {
  567. displayNotActive();
  568. die(); // we don't want to return to displaying the login, we already did
  569. }
  570. // We made it past all the checks, then the user can be logged in
  571. // Update activity
  572. $sql = "UPDATE `fcms_users`
  573. SET `activity` = NOW()
  574. WHERE `id` = ".$row['id'];
  575. if (!mysql_query($sql))
  576. {
  577. displaySqlError($sql, mysql_error());
  578. return;
  579. }
  580. // Login the user
  581. $_SESSION['login_id'] = $row['id'];
  582. $_SESSION['login_uname'] = $row['username'];
  583. $_SESSION['login_pw'] = $row['password'];
  584. header("Location: home.php");
  585. }
  586. /**
  587. * displayNotActive
  588. *
  589. * @return void
  590. */
  591. function displayNotActive ()
  592. {
  593. displayHeader();
  594. echo '
  595. <div class="err-msg">
  596. <h2>'.T_('Not So Fast').'</h2>
  597. <p>'.T_('Your account isn\'t active yet. Your website administrator must activate your account before you can login and begin using the website.').'</p>
  598. </div>';
  599. displayLogin();
  600. }
  601. /**
  602. * displayLockedOut
  603. *
  604. * @return void
  605. */
  606. function displayLockedOut ()
  607. {
  608. displayHeader();
  609. echo '
  610. <div class="err-msg">
  611. <h2>'.T_('Hold On a Second!').'</h2>
  612. <p>'.T_('You have exceeded the number of allowed login attempts.').'</p>
  613. <p>'.T_('Your account has been locked for 1 hour.').'</p>
  614. </div>';
  615. displayLogin();
  616. }